US20030177350A1 - Method of controlling network access in wireless environment and recording medium therefor - Google Patents
Method of controlling network access in wireless environment and recording medium therefor Download PDFInfo
- Publication number
- US20030177350A1 US20030177350A1 US10/383,729 US38372903A US2003177350A1 US 20030177350 A1 US20030177350 A1 US 20030177350A1 US 38372903 A US38372903 A US 38372903A US 2003177350 A1 US2003177350 A1 US 2003177350A1
- Authority
- US
- United States
- Prior art keywords
- authentication
- password
- user
- terminal
- authentication server
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Abandoned
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/16—Implementing security features at a particular protocol layer
- H04L63/162—Implementing security features at a particular protocol layer at the data link layer
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0876—Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/40—Network security protocols
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2463/00—Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
- H04L2463/082—Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 applying multi-factor authentication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/60—Context-dependent security
- H04W12/69—Identity-dependent
- H04W12/71—Hardware identity
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W84/00—Network topologies
- H04W84/02—Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]
- H04W84/10—Small scale networks; Flat hierarchical networks
- H04W84/12—WLAN [Wireless Local Area Networks]
Definitions
- the present invention relates to a method of controlling access to a network and protecting communication data in a wireless environment. More particularly, the present invention relates to an access controlling method using a combination of a wireless local area network (hereinafter referred to as WLAN) terminal authentication and a user authentication.
- WLAN wireless local area network
- WLANs are LANs that transmit and receive data over the air between computers, or between a computer and a communication system other than a computer, without the need for wired connections.
- WLANS transmit and receive data using radio and infrared electromagnetic airwaves.
- WLANs have been developed with the recent rapid advancements of Internet services and wireless communication technologies. Because WLANs are easily installed and maintained, they are increasingly used for network connections between buildings and in places where establishing a wired network is difficult, such as in large-scale offices and distribution centers. However, WLANs provide poor security as compared to wired networks because, theoretically, anybody may access the transmission medium.
- An authentication mechanism in a conventional IEEE802.11b system is classified into two mechanisms, an open-system authentication mechanism and a shared-key authentication mechanism. Only the shared-key authentication mechanism performs authentication using an actual key.
- the open-system authentication mechanism uses an empty character stream opened upon a WLAN card authentication based on an access point.
- the access point may be connected to a WLAN card device after unconditionally authenticating the card device, even if the card device does not provide accurate authentication information.
- the shared-key authentication mechanism a particular character stream proposed by an access point to a WLAN card in a challenge procedure is coded into a predetermined key in a response procedure through a challenge-response communication.
- a pre-determined shared key is used to code the character stream in the response procedure before resuming communications. Then, the coded character stream may be connected to an access point only if it passes the authentication procedure, thereby obtaining an authentication to be transmitted from the WLAN card to the access point.
- an IEEE802.11b system a terminal authenticates itself to an access point using a WEP supplied by a media access control (MAC) layer.
- MAC media access control
- an IEEE802.11a system may adopt an authentication method using a WEP or a method of defining an authentication protocol in an IEEE802.1X environment identical to or superior to the MAC layer.
- An authentication protocol using a WEP is based on a challenge-response method using algorithms for challenge and response procedures.
- a terminal codes a challenge received at an access point using a shared key and a WEP and transmits the code to the access point
- the access point decodes the challenge using a previously shared key, thereby authenticating the challenger.
- the authentication protocol using WEP offers no safety against attacks made on a current WEP algorithm.
- the other authentication method proposed by an IEEE802.11a system is to authenticate a terminal on a level equal to or higher than an MAC layer.
- This authentication method is based on an authentication protocol using an extensible authentication protocol (EAP) in an IEEE802.1X environment, but requires a concrete authentication protocol in order to perform authentication at a level equal to or higher than the MAC layer.
- EAP extensible authentication protocol
- the IEEE802.1X environment does not define a concrete authentication protocol.
- the proposed concrete authentication protocol could be applied to provide a terminal authentication function.
- an unauthorized user that acquired a terminal may access a network although he or she is not the original owner of the terminal. Therefore, user access to enterprise networks and public access services must be controlled.
- Next-generation terminals provide access to several wireless links. When these access points are realized within a terminal, authentications for several wireless accesses are required. In order to receive a mutual exchange service of several wireless accesses, a terminal must support authentication for the mutual wireless access. To achieve this, wireless access techniques require an independent mechanism.
- a password authentication method is convenient and therefore widely used.
- general authentication systems using a password provide a low degree of freedom for a user to select a password.
- a password having a size of k bits is selected, and a probability that each of the k bits is 0 or 1 is 0.5, the k-bit password becomes an arbitrary random key. Guessing the random key means making a list of 2 k random password candidates.
- random selection is almost impossible, and thus the user is exposed to an off-line password guessing attack.
- a network access controlling method in a wireless environment including completion of a terminal authentication using a MAC-ID by an access point, inputting of a password P by a user to a password authentication client, completion of authentication of a user by performing authentication between the password authentication client and an authentication server based on the password input by the user, and accessing an external or internal network such as the Internet or an intranet by the terminal, if the terminal authentication and the user authentication are approved, and transmitting an authentication failure message to the user if the terminal authentication and/or the user authentication are not approved.
- the terminal authentication may be performed in an IEEE802.1X environment.
- the network access controlling method may further include, if the user is the original possessor of the terminal, after the terminal authentication and before the inputting of the password, assigning the terminal an Internet Protocol (IP) address and downloading the password authentication client from the authentication server.
- IP Internet Protocol
- the present invention relates to a method of allowing a user's access to a network through “user authentication in a broad meaning”.
- the user authentication in a broad meaning may be understood as embracing both a method of controlling a user's access to a network by authenticating the terminal used by the user and a method of authenticating the user.
- the method of controlling a user's access to a network through terminal authentication is performed in a situation when the user uses his or her dedicated terminal, such as a mobile phone.
- the user's dedicated terminal has a unique identifier.
- the network authenticates the terminal using the terminal's unique identifier, allowing the user to access the network.
- This method provides easy access to the network, with no user participation in the authentication process.
- network access control using only terminal authentication poses security problems, in that any person acquiring access to the terminal may be allowed to access the network. That is, unauthorized users may access the network through other people's terminals.
- terminal authentication is based on the identifier of a terminal and therefore, terminal authentication is dependent on the wireless link access technique of the terminal. As a result, terminal authentication is unable to use other wireless link access techniques.
- user authentication is used to control a user's access to a network by authenticating the user regardless of which terminal the user uses.
- User authentication has a disadvantage in that the user must undergo an authentication process.
- user authentication is important in directly authenticating a user who actually accesses a network.
- user authentication it is possible to authenticate a user regardless of terminals and wireless link access techniques.
- a feature of the present invention is that user authentication is based on a password known by a user. The present invention provides easy control of network access at a user level.
- FIG. 1 is a block diagram for illustrating a network access controlling method according to the present invention.
- FIG. 2 is a flowchart for illustrating a network access controlling method according to the present invention.
- Korean Patent Application No. 2002-14276 filed on Mar. 16, 2002, and entitled: “Method Of Controlling Network Access In Wireless Environment And Recording Medium Therefor,” is incorporated by reference herein in its entirety.
- the present invention includes a step of authenticating a terminal possessed by a user and a step of authenticating the user using a password chosen by the user.
- the main bodies of action which are a terminal, an access point, and an authentication server existing in a network, are required to perform user authentication according to the present invention.
- FIG. 1 shows the components of a WLAN environment.
- terminals 100 a and 100 b have MAC protocol stacks 10 a and 10 b (e.g., IEEE802.11), respectively, and have frameworks 20 a and 20 b (e.g., IEEE802.1X), respectively, on a second layer.
- the MAC protocol stacks 10 a and 10 b are capable of accessing a wireless link, and the frameworks 20 a and 20 b enable authentication of a terminal.
- the terminals 100 a and 100 b include processors (not shown) for receiving a password from a user and processing the received password.
- the terminal 100 a and an access point 120 a constitute a first wireless network, and the terminal 100 b and an access point 120 b constitute a second wireless network.
- the terminals 100 a and 100 b are unable to access a host in a wired network without being authenticated by the access points 120 a and 120 b .
- the manner in which the access points 120 a and 120 b process packets of the terminals 100 a and 100 b differs depending on where the authentication is performed. For example, in an IEEE802.1X environment, authentication-related packets sent by the terminals 100 a and 100 b are transmitted to an authentication server 140 in the wired network without undergoing authentication by the access points 120 a and 120 b.
- the authentication server 140 processes authentication messages requested by the terminals 100 a and 100 b , and stores session information from the terminals 100 a and 100 b . Therefore, it is possible to charge a user based on the session information stored by the authentication server 140 .
- the authentication server 140 stores personal information regarding users and records information regarding services used by the users.
- reference numeral 150 denotes a portal.
- n arbitrary large prime number
- A, B characters representing a user and an authentication server, respectively
- v a password verifier stored in an authentication server
- x A , x B arbitrary private keys of a user terminal and an authentication server, respectively
- c A a confounder of a user terminal, generally long random value
- h(•) a unidirectional hash function
- E x (•) a symmetric key coding algorithm in which x is used as a private key. Since x can have an arbitrary length, a coding algorithm having a key of variable size, such as Blowfish [Sch93], may be used for security, and an Advanced Encryption Standard (AES) newly established as a block coding algorithm standard by the U.S. National Institute of Standard and Technology may also be used.
- AES Advanced Encryption Standard
- K a session key that is shared by a user and an authentication server and may be used for encryption communications later.
- a method of controlling user access to a network includes two steps. First, authentication for a terminal is performed. Next, authentication for a user of the terminal is performed using a password, in step 300 . Authentication for the user of a terminal using a password is performed after the following preparatory operations in step 200 .
- the primitive element g for the mod n is obtained by selecting the arbitrary large prime number n.
- n and g correspond to information shared by a user terminal and an authentication server.
- h(•) is a unidirectional hash function.
- the user transmits the value of the password verifier v to the authentication server via a safe channel.
- step 300 for network access may be omitted.
- authentication of a terminal is completed using an MAC-ID in an IEEE802.1X environment.
- IP Internet Protocol
- DHCP dynamic host configuration protocol
- the address of the authentication server is brought up.
- the authentication server downloads a password authentication client.
- a user inputs his or her password to the password authentication client.
- the terminal accesses an external/internal network, such as the Internet or an intranet, after authentication is approved.
- an external/internal network such as the Internet or an intranet
- step 300 network access
- step 200 password registration and preparatory operations
- the password authentication client produces three random values x A , c A , and r.
- the password authentication client transmits the values z 1 , y A , and r to the authentication server via an access point.
- the length of a required key differs according to a symmetric key encoding system used, but the length of a key required by the password verifier may start from the most significant bit (MSB).
- a required key length starting from the MSB of y B is obtained according to the used symmetric key encoding system.
- a user may be authenticated by using a password in a WLAN environment. Therefore, regardless of the number of wireless accesses available, a user may be authenticated, thereby allowing a terminal to be authenticated even when it roams over a variety of networks.
- passwords in the present invention make both user-level management and an inter-technology hand off function possible.
- Mutual authentication is also possible without a public key infrastructure (PKI).
- PKI public key infrastructure
- IKE Internet key exchange
- IPSec IP security
- the present invention uses a password-dependent authentication method, so that an authentication system may be easily established without the PKI. Accordingly, authentication by the present invention is efficiently performed.
- the present invention it is possible to determine whether a user has the same key as that of an authentication server.
- Communication data protected by the present invention is safe from password attacks worked in a conventional system using a general password.
- authentication of a terminal and a user are performed independently, thereby adding an extra layer of protection.
- the present invention provides shared secret information, with which encoding communications are performed.
- a key known in any session does not include information on a key used in any other session.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Power Engineering (AREA)
- Mobile Radio Communication Systems (AREA)
- Small-Scale Networks (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Information Transfer Between Computers (AREA)
Abstract
A network access controlling method in a wireless environment, including an access point completes authenticating a terminal using an MAC-ID. Next, a user inputs a password to a password authentication client. Then, authentication between the password authentication client and an authentication server is performed based on the input password. Thereafter, the terminal accesses an external/internal network (e.g., Internet/intranet) if the terminal authentication and the authentication based on the password are approved. Otherwise, the terminal transmits an authentication failure message to the user.
Description
- 1. Field of the Invention
- The present invention relates to a method of controlling access to a network and protecting communication data in a wireless environment. More particularly, the present invention relates to an access controlling method using a combination of a wireless local area network (hereinafter referred to as WLAN) terminal authentication and a user authentication.
- 2. Description of the Related Art
- Generally, WLANs are LANs that transmit and receive data over the air between computers, or between a computer and a communication system other than a computer, without the need for wired connections. WLANS transmit and receive data using radio and infrared electromagnetic airwaves. WLANs have been developed with the recent rapid advancements of Internet services and wireless communication technologies. Because WLANs are easily installed and maintained, they are increasingly used for network connections between buildings and in places where establishing a wired network is difficult, such as in large-scale offices and distribution centers. However, WLANs provide poor security as compared to wired networks because, theoretically, anybody may access the transmission medium.
- In this regard, many security services have been developed, such as encryption, access control, authentication, non-repudiation, integrity, etc., all of which are important. However, the authentication function is particularly important when considering quality communication services. In a WLAN, proper authentication is performed prior to encryption and access control. In a public WLAN, authentication with respect to a terminal is necessarily required to provide a WLAN service that charges users. However, in a WLAN system, the security function of a mechanism for authentication using an existing wired equivalent privacy (WEP) protocol does not work against many attacks.
- An authentication mechanism in a conventional IEEE802.11b system is classified into two mechanisms, an open-system authentication mechanism and a shared-key authentication mechanism. Only the shared-key authentication mechanism performs authentication using an actual key. The open-system authentication mechanism uses an empty character stream opened upon a WLAN card authentication based on an access point. The access point may be connected to a WLAN card device after unconditionally authenticating the card device, even if the card device does not provide accurate authentication information. In the shared-key authentication mechanism, a particular character stream proposed by an access point to a WLAN card in a challenge procedure is coded into a predetermined key in a response procedure through a challenge-response communication. A pre-determined shared key is used to code the character stream in the response procedure before resuming communications. Then, the coded character stream may be connected to an access point only if it passes the authentication procedure, thereby obtaining an authentication to be transmitted from the WLAN card to the access point.
- In an IEEE802.11b system, a terminal authenticates itself to an access point using a WEP supplied by a media access control (MAC) layer. In order to authenticate a terminal to an access point by improving an existing authentication mechanism, an IEEE802.11a system may adopt an authentication method using a WEP or a method of defining an authentication protocol in an IEEE802.1X environment identical to or superior to the MAC layer.
- An authentication protocol using a WEP is based on a challenge-response method using algorithms for challenge and response procedures. In this method, when a terminal codes a challenge received at an access point using a shared key and a WEP and transmits the code to the access point, the access point decodes the challenge using a previously shared key, thereby authenticating the challenger. However, the authentication protocol using WEP offers no safety against attacks made on a current WEP algorithm.
- The other authentication method proposed by an IEEE802.11a system is to authenticate a terminal on a level equal to or higher than an MAC layer. This authentication method is based on an authentication protocol using an extensible authentication protocol (EAP) in an IEEE802.1X environment, but requires a concrete authentication protocol in order to perform authentication at a level equal to or higher than the MAC layer. The IEEE802.1X environment does not define a concrete authentication protocol.
- If the IEEE802.1X environment were to propose a concrete authentication protocol, the proposed concrete authentication protocol could be applied to provide a terminal authentication function. However, in a security service based on terminal authentication, an unauthorized user that acquired a terminal may access a network although he or she is not the original owner of the terminal. Therefore, user access to enterprise networks and public access services must be controlled.
- Next-generation terminals provide access to several wireless links. When these access points are realized within a terminal, authentications for several wireless accesses are required. In order to receive a mutual exchange service of several wireless accesses, a terminal must support authentication for the mutual wireless access. To achieve this, wireless access techniques require an independent mechanism.
- To authenticate a user, a password authentication method is convenient and therefore widely used. However, general authentication systems using a password provide a low degree of freedom for a user to select a password. When a password having a size of k bits is selected, and a probability that each of the k bits is 0 or 1 is 0.5, the k-bit password becomes an arbitrary random key. Guessing the random key means making a list of 2k random password candidates. However, when a user selects a password, random selection is almost impossible, and thus the user is exposed to an off-line password guessing attack.
- In an effort to solve these and other problems, it is a feature of an embodiment of the present invention to provide a network access controlling method having improved security as compared to a conventional method by using both terminal authentication and user authentication in a place requiring authentication as a way of controlling network accesses through a terminal, such as in a wireless local area network service, and a recording medium for storing software codes of the network access controlling method.
- To provide this feature of the present invention, there is provided a network access controlling method in a wireless environment, the method including completion of a terminal authentication using a MAC-ID by an access point, inputting of a password P by a user to a password authentication client, completion of authentication of a user by performing authentication between the password authentication client and an authentication server based on the password input by the user, and accessing an external or internal network such as the Internet or an intranet by the terminal, if the terminal authentication and the user authentication are approved, and transmitting an authentication failure message to the user if the terminal authentication and/or the user authentication are not approved.
- The terminal authentication may be performed in an IEEE802.1X environment.
- The network access controlling method may further include, if the user is the original possessor of the terminal, after the terminal authentication and before the inputting of the password, assigning the terminal an Internet Protocol (IP) address and downloading the password authentication client from the authentication server.
- The network access controlling method may further include, as preparatory operations for the inputting of the password P, selecting an arbitrary large prime number n and obtaining a primitive element g for a mod n, the large prime number n and the primitive element g corresponding to information shared by the terminal and the authentication server, selection of the password P and calculation of a password verifier v=gh(P) by the user, transmittal by the user of the password verifier v to the authentication server via a safe channel, wherein h(•) denotes a unidirectional hash function.
- In the network access controlling method, performing authentication between the password authentication client and an authentication server may include calculation and storage of the password verifier v=gh(P) by the password authentication client based on the password P input by the user, production by the password authentication client of three random values, which are a secret key xA of the terminal, a confounder cA of the terminal, and an arbitrary value r, and calculation of a public key yA=gxA of the terminal and a value z1=h(yA, v, cA) using the secret key xA and the confounder cA of the terminal and the password verifier v, transmittal of the calculated values z1 and yA and the arbitrary value r by the password authentication client to the authentication server via the access point, performing storage of the received values z1 and yA and production of a secret key xB of the authentication server by the authentication server to calculate a public key of the authentication server, yB=gxB, calculation of a session key K=yA xB and a value h1=h(r, v, K), by the authentication server based on the received values yA and r, transmittal by the authentication server to the password authentication client of a message z2=Ev(yB, h1), into which the public key yB of the authentication server and the calculated value h1 are encoded by a symmetric key encoding system by using a key derived from the password verifier v, the password authentication client decoding the received message z2 using the symmetric key encoding system based on a decoding key derived from the password verifier v, calculating and storing a session key K=yB xA, calculating h′=h(r, v, K) using the calculated session key, decoding the calculated value h′, and determining if the decoded value h′ is equal to the received value h1, if h′ is not equal to h1, the password authentication client stopping message exchange with the authentication server, and if h′ is equal to h1, the password authentication client transmitting, to the authentication server, a message z3=EyB(cA, K), into which K=yB xA and cA are encoded based on a key induced from the public key yB of the authentication server, the authentication server decoding the received value z3 using a key induced from yB and stopping message exchange with the user authentication client if K=yB xA is not equal to K=AxB, and if K=yB xA is equal to K=yA xB, calculating a value h″=h(yA, v, cA) based on the value yA stored in and the decoded cA, and determining if h″ is equal to z1, and if h″ is equal to z1, approval by the authentication server of a user authentication, and if h″ is not equal to z1, disapproval of the user authentication by the authentication server, wherein Ex(•) denotes a symmetric key encoding algorithm using x as a secret key.
- The present invention relates to a method of allowing a user's access to a network through “user authentication in a broad meaning”. The user authentication in a broad meaning may be understood as embracing both a method of controlling a user's access to a network by authenticating the terminal used by the user and a method of authenticating the user.
- The method of controlling a user's access to a network through terminal authentication is performed in a situation when the user uses his or her dedicated terminal, such as a mobile phone. Obviously, the user's dedicated terminal has a unique identifier. The network authenticates the terminal using the terminal's unique identifier, allowing the user to access the network. This method provides easy access to the network, with no user participation in the authentication process. However, network access control using only terminal authentication poses security problems, in that any person acquiring access to the terminal may be allowed to access the network. That is, unauthorized users may access the network through other people's terminals. Also, terminal authentication is based on the identifier of a terminal and therefore, terminal authentication is dependent on the wireless link access technique of the terminal. As a result, terminal authentication is unable to use other wireless link access techniques.
- On the other hand, user authentication is used to control a user's access to a network by authenticating the user regardless of which terminal the user uses. User authentication has a disadvantage in that the user must undergo an authentication process. However, user authentication is important in directly authenticating a user who actually accesses a network. In user authentication, it is possible to authenticate a user regardless of terminals and wireless link access techniques. A feature of the present invention is that user authentication is based on a password known by a user. The present invention provides easy control of network access at a user level.
- The above features and advantages of the present invention will become more apparent to those of ordinary skill in the art by describing in detail preferred embodiments thereof with reference to the attached drawings in which:
- FIG. 1 is a block diagram for illustrating a network access controlling method according to the present invention; and
- FIG. 2 is a flowchart for illustrating a network access controlling method according to the present invention.
- Korean Patent Application No. 2002-14276, filed on Mar. 16, 2002, and entitled: “Method Of Controlling Network Access In Wireless Environment And Recording Medium Therefor,” is incorporated by reference herein in its entirety.
- The present invention will now be described more fully with respect to the accompanying drawings, in which a preferred embodiment of the invention is shown. This invention may, however, be embodied in different forms and should not be construed as limited to the embodiment set forth herein. Rather, the embodiment is provided so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art.
- For user authentication, the present invention includes a step of authenticating a terminal possessed by a user and a step of authenticating the user using a password chosen by the user. Also, the main bodies of action, which are a terminal, an access point, and an authentication server existing in a network, are required to perform user authentication according to the present invention. FIG. 1 shows the components of a WLAN environment.
- Referring to FIG. 1,
terminals frameworks 20 a and 20 b (e.g., IEEE802.1X), respectively, on a second layer. The MAC protocol stacks 10 a and 10 b are capable of accessing a wireless link, and theframeworks 20 a and 20 b enable authentication of a terminal. Theterminals access point 120 a constitute a first wireless network, and the terminal 100 b and anaccess point 120 b constitute a second wireless network. Theterminals access points access points terminals terminals authentication server 140 in the wired network without undergoing authentication by theaccess points - The access points120 a and 120 b are required to access a wired network by a wireless access, and send an authentication-related packet using a password, which is used in the present invention, to the
authentication server 140 in the wired network without any processing. In an IEEE802.1X environment, it is possible for an access point to simply perform an authentication server function, or to transmit an authentication-related packet to an authentication server while an authentication server in a LAN is assigned to perform a local authentication function. - The
authentication server 140 processes authentication messages requested by theterminals terminals authentication server 140. - That is, the
authentication server 140 stores personal information regarding users and records information regarding services used by the users. - In FIG. 1,
reference numeral 150 denotes a portal. - Basic operations and parameters required to authenticate a user using a password are as follows.
- n: arbitrary large prime number
- g: primitive element for mod n
- P: user's password
- A, B: characters representing a user and an authentication server, respectively
- v: a password verifier stored in an authentication server
- xA, xB: arbitrary private keys of a user terminal and an authentication server, respectively
- yA, yB: arbitrary public keys of a user terminal and an authentication server, respectively. Here, yA=gxA, and yB=gxB (where the uses of xA and yA are slightly different from those of a private key and a public key, respectively, which are used in a general public key coding system).
- cA: a confounder of a user terminal, generally long random value
- h(•): a unidirectional hash function
- Ex(•): a symmetric key coding algorithm in which x is used as a private key. Since x can have an arbitrary length, a coding algorithm having a key of variable size, such as Blowfish [Sch93], may be used for security, and an Advanced Encryption Standard (AES) newly established as a block coding algorithm standard by the U.S. National Institute of Standard and Technology may also be used.
- K: a session key that is shared by a user and an authentication server and may be used for encryption communications later.
- Referring to FIG. 2, a method of controlling user access to a network according to an embodiment of the present invention, includes two steps. First, authentication for a terminal is performed. Next, authentication for a user of the terminal is performed using a password, in
step 300. Authentication for the user of a terminal using a password is performed after the following preparatory operations instep 200. - [
Step 200 for password registration and preparatory operations] - First, the primitive element g for the mod n is obtained by selecting the arbitrary large prime number n. Here, n and g correspond to information shared by a user terminal and an authentication server.
- Next, a user selects his or her password P and calculates the password verifier v=gh(P). As described above, h(•) is a unidirectional hash function.
- Thereafter, the user transmits the value of the password verifier v to the authentication server via a safe channel.
- A process in which the user acquires a terminal for the first time and gains authentication from the authentication server will now be described. If the user is not the first user in a certain domain, the fourth sub-step in
step 300 for network access may be omitted. - [
Step 300 for network access] - In the first sub-step, authentication of a terminal is completed using an MAC-ID in an IEEE802.1X environment.
- In the second sub-step, an Internet Protocol (IP) address is allocated using a dynamic host configuration protocol (DHCP) server or the like.
- In the third sub-step, the address of the authentication server is brought up.
- In the fourth sub-step, the authentication server downloads a password authentication client.
- In the fifth sub-step, a user inputs his or her password to the password authentication client.
- In the sixth sub-step, authentication between the password authentication client and the authentication server is completed based on the password input by the user.
- In the seventh sub-step, the terminal accesses an external/internal network, such as the Internet or an intranet, after authentication is approved.
- Hereinafter, the sixth sub-step of step300 (network access) will be described in greater detail. Step 200 (password registration and preparatory operations) must be performed before the sixth sub-step for authentication.
- In the sixth sub-step, first, the password authentication client calculates a password verifier v=gh(P), based on a password P input by the user.
- Second, the password authentication client produces three random values xA, cA, and r.
- Third, yA=gxA and z1=h(yA, v, cA) are calculated using the produced random values.
- Fourth, the password authentication client transmits the values z1, yA, and r to the authentication server via an access point.
- Fifth, the authentication server stores the received values z1 and yA and produces a random value xB to calculate yB=gxB.
- Sixth, the authentication server calculates a session key K=yA xB and a value h1=h(r, v, K), based on the received values yA and r.
- Seventh, the authentication server transmits to the password authentication client a message z2=Ev(yB, h1), into which the public key yB of the authentication server and the calculated value h1 are encoded by a symmetric key encoding system by using a key derived from the password verifier v of the user. Here, the length of a required key differs according to a symmetric key encoding system used, but the length of a key required by the password verifier may start from the most significant bit (MSB).
- Eighth, the password authentication client decodes the received encoded message z2 using the symmetric key encoding system based on a decoding key derived from the password verifier v of the user, and calculates and stores a session key K=yB xA. Thereafter, the password authentication client calculates a value h′=h(r, v, K) using the calculated session key and determines if the calculated value h′ is equal to the received value h1. If h′ and h1 are not equal, the password authentication client stops a message exchange with the authentication server.
- Ninth, if h′ and h1 are equal, the password authentication client transmits, to the authentication server, a message z3=EyB(cA, K), into which K=yB xA and CA are encoded based on a key derived from the public key yB of the authentication server. A required key length starting from the MSB of yB is obtained according to the used symmetric key encoding system.
- Tenth, the authentication server decodes the received z3 using a key derived from yB and determines if K=yB xA is equal to K=yA xB. If K=yB xA is not equal to K=yA xB, the authentication server stops a message exchange with the user authentication client. If K=yB xA is equal to K=yA xB, the authentication server calculates a value h″=h(yA , v, c A) based on yA stored in the fifth step and the decoded cA and determines if h″ is equal to z1. If h″ is equal to z1, the authentication server transmits a user authentication success message to the password client. If h″ is not equal to z1, the authentication server transmits a user authentication failure message to the password client.
- After authentication between the password authentication client and the authentication server is completed, new secrete information enabling encryption communications are shared by the user and the authentication server.
- As described above, by the present invention, a user may be authenticated by using a password in a WLAN environment. Therefore, regardless of the number of wireless accesses available, a user may be authenticated, thereby allowing a terminal to be authenticated even when it roams over a variety of networks.
- The use of passwords in the present invention, as opposed to conventional management using a media access control identifier (MAC-ID), makes both user-level management and an inter-technology hand off function possible. Mutual authentication is also possible without a public key infrastructure (PKI). An Internet key exchange (IKE), which is an authentication protocol used in IP security (IPSec), depends on the PKI or an equivalent in order to authenticate an opposite party. However, the present invention uses a password-dependent authentication method, so that an authentication system may be easily established without the PKI. Accordingly, authentication by the present invention is efficiently performed.
- According to the present invention, it is possible to determine whether a user has the same key as that of an authentication server. Communication data protected by the present invention is safe from password attacks worked in a conventional system using a general password. In the present invention, authentication of a terminal and a user are performed independently, thereby adding an extra layer of protection. Further, after authentication of a terminal and a client, the present invention provides shared secret information, with which encoding communications are performed. Finally, in the method of the present invention, a key known in any session does not include information on a key used in any other session.
- A protocol for mutual authentication and key exchange between a user and an authentication server, according to the present invention, mainly performs a hash function and a symmetric encoding algorithm except when each host performs modular exponentiation one time to achieve a Diffe-Hellman key exchange. Thus, fast authentication and key exchange are realized.
- Preferred embodiments of the present invention have been disclosed herein and, although specific terms are employed, they are used and are to be interpreted in a generic and descriptive sense only and not for purpose of limitation. Accordingly, it will be understood by those of ordinary skill in the art that various changes in form and details may be made without departing from the spirit and scope of the present invention as set forth in the following claims.
Claims (10)
1. A network access controlling method in a wireless environment, the method comprising:
(a) completion of a terminal authentication using a MAC-ID by an access point;
(b) inputting of a password P by a user to a password authentication client;
(c) completion of authentication of a user by performing authentication between the password authentication client and an authentication server based on the password P input by the user; and
(d) accessing an external or internal network such as the Internet or an intranet by the terminal if the terminal authentication and the user authentication are approved, and transmitting an authentication failure message to the user if the terminal authentication and/or the user authentication are not approved.
2. The network access controlling method as claimed in claim 1 , wherein (a) is performed in an IEEE802.1X environment.
3. The network access controlling method as claimed in claim 1 , further comprising, if the user is the original possessor of the terminal, between (a) and (b):
assigning the terminal an Internet Protocol (IP) address; and
downloading the password authentication client from the authentication server.
4. The network access controlling method as claimed in claim 1 , further comprising as preparatory operations for (b):
(b-1) selecting an arbitrary large prime number n and obtaining a primitive element g for a mod n, the large prime number n and the primitive element g corresponding to information shared by the terminal and the authentication server;
(b-2) selection of the password P and calculation of a password verifier v=gh(P) by the user; and
(b-3) transmittal by the user of the password verifier v to the authentication server via a safe channel,
wherein h(•) denotes a unidirectional hash function.
5. The network access controlling method as claimed in claim 1 , wherein (c) comprises:
(c-1) calculation and storage of the password verifier v=gh(P) by the password authentication client based on the password P input by the user;
(c-2) production by the password authentication client of three random values, which are a secret key xA of the terminal, a confounder cA of the terminal, and an arbitrary value r, and calculation of a public key yA=g xA of the terminal, and a value z1=h(yA, v, cA) using the secret key xA and the confounder cA of the terminal and the password verifier v;
(c-3) transmittal of the calculated values z1 and yA and the arbitrary value r by the password authentication client to the authentication server via the access point;
(c-4) performing storage of the received values z1 and yA and production of a secret key xB of the authentication server by the authentication server to calculate a public key of the authentication server, yB=gxB;
(c-5) calculation of a session key K=yA xB, and a value h1=h(r, v, K), by the authentication server based on the received values yA and r;
(c-6) transmittal, by the authentication server to the password authentication client, of a message z2=Ev(yB, h1), into which the public key yB of the authentication server and the calculated value h1 are encoded by a symmetric key encoding system by using a key derived from the password verifier v;
(c-7) the password authentication client decoding the received message z2 using the symmetric key encoding system based on a decoding key derived from the password verifier v, calculating and storing a session key K=yB xA, calculating a value h′=h(r, v, K) using the calculated session key, decoding the calculated value h′, and determining if the decoded value h′ is equal to the received value h1;
(c-8) if h′ is not equal to h1, the password authentication client stopping message exchange with the authentication server, and if h′ is equal to h1, the password authentication client transmitting, to the authentication server, a message z3=EyB(cA, K), into which K=yB xA and cA are encoded based on a key derived from the public key yB of the authentication server;
(c-9) the authentication server decoding the received value z3 using a key derived from yB and stopping message exchange with the user authentication client if K=yB xA is not equal to K=yA xB, and if K=yB xA is equal to K=yA xB, calculating a value h″=h(yA , v, c A ) based on the value y A stored in (c-4) and the decoded cA, and determining if h″ is equal to z1; and
(c-10) if h″ is equal to z1, approval by the authentication server of a user authentication, and if h″ is not equal to z1, disapproval of the user authentication by the authentication server,
wherein Ex(•) denotes a symmetric key encoding algorithm using x as a secret key.
6. A computer readable recording medium that stores a computer program for executing the method claimed in claim 1 .
7. A computer readable recording medium that stores a computer program for executing the method claimed in claim 2 .
8. A computer readable recording medium that stores a computer program for executing the method claimed in claim 3 .
9. A computer readable recording medium that stores a computer program for executing the method claimed in claim 4 .
10. A computer readable recording medium that stores a computer program for executing the method claimed in claim 5.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR2002-14276 | 2002-03-16 | ||
KR1020020014276A KR100883648B1 (en) | 2002-03-16 | 2002-03-16 | Method of access control in wireless environment and recording medium in which the method is recorded |
Publications (1)
Publication Number | Publication Date |
---|---|
US20030177350A1 true US20030177350A1 (en) | 2003-09-18 |
Family
ID=27764648
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US10/383,729 Abandoned US20030177350A1 (en) | 2002-03-16 | 2003-03-10 | Method of controlling network access in wireless environment and recording medium therefor |
Country Status (6)
Country | Link |
---|---|
US (1) | US20030177350A1 (en) |
EP (1) | EP1345386B1 (en) |
JP (1) | JP3863852B2 (en) |
KR (1) | KR100883648B1 (en) |
CN (1) | CN1206838C (en) |
DE (1) | DE60313910T2 (en) |
Cited By (17)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20040054798A1 (en) * | 2002-09-17 | 2004-03-18 | Frank Ed H. | Method and system for providing seamless connectivity and communication in a multi-band multi-protocol hybrid wired/wireless network |
US20040255154A1 (en) * | 2003-06-11 | 2004-12-16 | Foundry Networks, Inc. | Multiple tiered network security system, method and apparatus |
US20060059538A1 (en) * | 2004-09-13 | 2006-03-16 | Xcomm Box, Inc. | Security system for wireless networks |
US7024690B1 (en) * | 2000-04-28 | 2006-04-04 | 3Com Corporation | Protected mutual authentication over an unsecured wireless communication channel |
US20060080534A1 (en) * | 2004-10-12 | 2006-04-13 | Yeap Tet H | System and method for access control |
US20070174906A1 (en) * | 2005-11-15 | 2007-07-26 | Credant Technologies, Inc. | System and Method for the Secure, Transparent and Continuous Synchronization of Access Credentials in an Arbitrary Third Party System |
US20070260882A1 (en) * | 2004-11-04 | 2007-11-08 | David Lefranc | Method for Secure Delegation of Calculation of a Bilinear Application |
US20090260083A1 (en) * | 2003-05-21 | 2009-10-15 | Foundry Networks, Inc. | System and method for source ip anti-spoofing security |
US20090265785A1 (en) * | 2003-05-21 | 2009-10-22 | Foundry Networks, Inc. | System and method for arp anti-spoofing security |
US20100223654A1 (en) * | 2003-09-04 | 2010-09-02 | Brocade Communications Systems, Inc. | Multiple tiered network security system, method and apparatus using dynamic user policy assignment |
US20100325700A1 (en) * | 2003-08-01 | 2010-12-23 | Brocade Communications Systems, Inc. | System, method and apparatus for providing multiple access modes in a data communications network |
US20100333191A1 (en) * | 2003-09-23 | 2010-12-30 | Foundry Networks, Inc. | System and method for protecting cpu against remote access attacks |
US7996894B1 (en) * | 2005-02-15 | 2011-08-09 | Sonicwall, Inc. | MAC address modification of otherwise locally bridged client devices to provide security |
US8528071B1 (en) | 2003-12-05 | 2013-09-03 | Foundry Networks, Llc | System and method for flexible authentication in a data communications network |
US20130242967A1 (en) * | 2003-03-14 | 2013-09-19 | Canon Kabushiki Kaisha | Communication system, information processing device, connection device, and connection device designation method for designating connection device for communication device to connect to |
US20160277420A1 (en) * | 2015-03-16 | 2016-09-22 | International Business Machines Corporation | File and bit location authentication |
CN110831003A (en) * | 2018-08-13 | 2020-02-21 | 广东亿迅科技有限公司 | Authentication method and system based on WLAN flexible access network |
Families Citing this family (23)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR100458955B1 (en) * | 2002-04-18 | 2004-12-03 | (주) 시큐컴 | Security method for the Wireless LAN |
GB0325978D0 (en) * | 2003-11-07 | 2003-12-10 | Siemens Ag | Transparent authentication on a mobile terminal using a web browser |
GB0325980D0 (en) * | 2003-11-07 | 2003-12-10 | Siemens Ag | Secure authentication in a mobile terminal using a local proxy |
US7743405B2 (en) | 2003-11-07 | 2010-06-22 | Siemens Aktiengesellschaft | Method of authentication via a secure wireless communication system |
CN100450137C (en) * | 2003-11-12 | 2009-01-07 | 华为技术有限公司 | Realizing method for mobile phone user to access to internet |
KR100674632B1 (en) * | 2004-07-16 | 2007-01-26 | 재단법인서울대학교산학협력재단 | Mobile Code Authentication Schemes that Permit Overlapping of Execution and Downloading |
EP1635528A1 (en) * | 2004-09-13 | 2006-03-15 | Alcatel | A method to grant access to a data communication network and related devices |
US20060068757A1 (en) * | 2004-09-30 | 2006-03-30 | Sukumar Thirunarayanan | Method, apparatus and system for maintaining a persistent wireless network connection |
FR2876521A1 (en) * | 2004-10-07 | 2006-04-14 | France Telecom | METHOD FOR AUTHENTICATING A USER, DEVICE USING SUCH A METHOD, AND SIGNALING SERVER |
KR100600605B1 (en) * | 2004-11-03 | 2006-07-13 | 한국전자통신연구원 | Apparatus and method for user and terminal data management of portable internet system |
US8010994B2 (en) * | 2005-05-16 | 2011-08-30 | Alcatel Lucent | Apparatus, and associated method, for providing communication access to a communication device at a network access port |
US8621577B2 (en) | 2005-08-19 | 2013-12-31 | Samsung Electronics Co., Ltd. | Method for performing multiple pre-shared key based authentication at once and system for executing the method |
KR100729729B1 (en) * | 2005-12-10 | 2007-06-18 | 한국전자통신연구원 | authentication device and method of access point in wireless portable internet system |
KR100790495B1 (en) * | 2006-03-07 | 2008-01-02 | 와이즈와이어즈(주) | Authentication Method, System, Server and Recording Medium for Controlling Mobile Communication Terminal by Using Encryption Algorithm |
DE102007016117A1 (en) * | 2007-04-03 | 2008-10-16 | Siemens Ag | Method and system for providing a REL token |
JP4928364B2 (en) * | 2007-06-25 | 2012-05-09 | 日本電信電話株式会社 | Authentication method, registered value generation method, server device, client device, and program |
WO2009001447A1 (en) * | 2007-06-27 | 2008-12-31 | Fujitsu Limited | Authentication method, authentication system, authentication device, and computer program |
KR100924315B1 (en) * | 2007-11-16 | 2009-11-02 | 넷큐브테크놀러지 주식회사 | Authentification system of wireless-lan with enhanced security and authentifiaction method thereof |
KR101065326B1 (en) * | 2009-08-06 | 2011-09-16 | 국방과학연구소 | Method for authenticating the user of web service using physical network address on intranet |
KR101133210B1 (en) * | 2010-05-22 | 2012-04-05 | 오중선 | Mobile Authentication System and Central Control System |
KR101493214B1 (en) | 2012-10-31 | 2015-02-24 | 삼성에스디에스 주식회사 | Method for password based authentication and apparatus executing the method |
WO2014069783A1 (en) * | 2012-10-31 | 2014-05-08 | 삼성에스디에스 주식회사 | Password-based authentication method, and apparatus for performing same |
KR101483901B1 (en) * | 2014-01-21 | 2015-01-16 | (주)이스트소프트 | Intranet security system and method |
Citations (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6282575B1 (en) * | 1997-12-11 | 2001-08-28 | Intel Corporation | Routing mechanism for networks with separate upstream and downstream traffic |
US20020010857A1 (en) * | 2000-06-29 | 2002-01-24 | Kaleedhass Karthik | Biometric verification for electronic transactions over the web |
US6393484B1 (en) * | 1999-04-12 | 2002-05-21 | International Business Machines Corp. | System and method for controlled access to shared-medium public and semi-public internet protocol (IP) networks |
US6396484B1 (en) * | 1999-09-29 | 2002-05-28 | Elo Touchsystems, Inc. | Adaptive frequency touchscreen controller using intermediate-frequency signal processing |
US20020075844A1 (en) * | 2000-12-15 | 2002-06-20 | Hagen W. Alexander | Integrating public and private network resources for optimized broadband wireless access and method |
US20020130764A1 (en) * | 2001-03-14 | 2002-09-19 | Fujitsu Limited | User authentication system using biometric information |
US20020156708A1 (en) * | 1998-12-30 | 2002-10-24 | Yzhak Ronen | Personalized internet server |
US20020194477A1 (en) * | 2000-01-28 | 2002-12-19 | Norio Arakawa | Device authentication apparatus and method, and recorded medium on which device authentication program is recorded |
US6539479B1 (en) * | 1997-07-15 | 2003-03-25 | The Board Of Trustees Of The Leland Stanford Junior University | System and method for securely logging onto a remotely located computer |
US6766454B1 (en) * | 1997-04-08 | 2004-07-20 | Visto Corporation | System and method for using an authentication applet to identify and authenticate a user in a computer network |
US7047408B1 (en) * | 2000-03-17 | 2006-05-16 | Lucent Technologies Inc. | Secure mutual network authentication and key exchange protocol |
US7487535B1 (en) * | 2002-02-01 | 2009-02-03 | Novell, Inc. | Authentication on demand in a distributed network environment |
Family Cites Families (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CZ20014168A3 (en) * | 1999-05-21 | 2002-05-15 | International Business Machines Corporation | Process and apparatus for initialization of safeguarded communication and for creating exclusive couples pairs of wireless devices |
US7174564B1 (en) * | 1999-09-03 | 2007-02-06 | Intel Corporation | Secure wireless local area network |
KR20010083377A (en) * | 2000-02-11 | 2001-09-01 | 박순규 | User-Server Identity Authentication Using System Information |
FI111119B (en) | 2000-05-26 | 2003-05-30 | Radionet Oy Ab Ltd | Method and equipment for data transfer |
JP2001346257A (en) | 2000-06-01 | 2001-12-14 | Akesesu:Kk | Security system for portable wireless terminal, portable wireless terminal, and recording medium for recording program for security |
KR100438155B1 (en) * | 2001-08-21 | 2004-07-01 | (주)지에스텔레텍 | Wireless local area network sytem and method for managing the same |
-
2002
- 2002-03-16 KR KR1020020014276A patent/KR100883648B1/en not_active IP Right Cessation
-
2003
- 2003-02-14 EP EP03250931A patent/EP1345386B1/en not_active Expired - Fee Related
- 2003-02-14 JP JP2003035865A patent/JP3863852B2/en not_active Expired - Fee Related
- 2003-02-14 DE DE60313910T patent/DE60313910T2/en not_active Expired - Fee Related
- 2003-02-14 CN CNB031044476A patent/CN1206838C/en not_active Expired - Fee Related
- 2003-03-10 US US10/383,729 patent/US20030177350A1/en not_active Abandoned
Patent Citations (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6766454B1 (en) * | 1997-04-08 | 2004-07-20 | Visto Corporation | System and method for using an authentication applet to identify and authenticate a user in a computer network |
US6539479B1 (en) * | 1997-07-15 | 2003-03-25 | The Board Of Trustees Of The Leland Stanford Junior University | System and method for securely logging onto a remotely located computer |
US6282575B1 (en) * | 1997-12-11 | 2001-08-28 | Intel Corporation | Routing mechanism for networks with separate upstream and downstream traffic |
US20020156708A1 (en) * | 1998-12-30 | 2002-10-24 | Yzhak Ronen | Personalized internet server |
US6393484B1 (en) * | 1999-04-12 | 2002-05-21 | International Business Machines Corp. | System and method for controlled access to shared-medium public and semi-public internet protocol (IP) networks |
US6396484B1 (en) * | 1999-09-29 | 2002-05-28 | Elo Touchsystems, Inc. | Adaptive frequency touchscreen controller using intermediate-frequency signal processing |
US20020194477A1 (en) * | 2000-01-28 | 2002-12-19 | Norio Arakawa | Device authentication apparatus and method, and recorded medium on which device authentication program is recorded |
US7047408B1 (en) * | 2000-03-17 | 2006-05-16 | Lucent Technologies Inc. | Secure mutual network authentication and key exchange protocol |
US20020010857A1 (en) * | 2000-06-29 | 2002-01-24 | Kaleedhass Karthik | Biometric verification for electronic transactions over the web |
US20020075844A1 (en) * | 2000-12-15 | 2002-06-20 | Hagen W. Alexander | Integrating public and private network resources for optimized broadband wireless access and method |
US20020130764A1 (en) * | 2001-03-14 | 2002-09-19 | Fujitsu Limited | User authentication system using biometric information |
US7487535B1 (en) * | 2002-02-01 | 2009-02-03 | Novell, Inc. | Authentication on demand in a distributed network environment |
Cited By (29)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7024690B1 (en) * | 2000-04-28 | 2006-04-04 | 3Com Corporation | Protected mutual authentication over an unsecured wireless communication channel |
US20040054798A1 (en) * | 2002-09-17 | 2004-03-18 | Frank Ed H. | Method and system for providing seamless connectivity and communication in a multi-band multi-protocol hybrid wired/wireless network |
US20130242967A1 (en) * | 2003-03-14 | 2013-09-19 | Canon Kabushiki Kaisha | Communication system, information processing device, connection device, and connection device designation method for designating connection device for communication device to connect to |
US9161220B2 (en) * | 2003-03-14 | 2015-10-13 | Canon Kabushiki Kaisha | Communication system, information processing device, connection device, and connection device designation method for designating connection device for communication device to connect to |
US20090260083A1 (en) * | 2003-05-21 | 2009-10-15 | Foundry Networks, Inc. | System and method for source ip anti-spoofing security |
US8245300B2 (en) | 2003-05-21 | 2012-08-14 | Foundry Networks Llc | System and method for ARP anti-spoofing security |
US8918875B2 (en) | 2003-05-21 | 2014-12-23 | Foundry Networks, Llc | System and method for ARP anti-spoofing security |
US8533823B2 (en) | 2003-05-21 | 2013-09-10 | Foundry Networks, Llc | System and method for source IP anti-spoofing security |
US20090265785A1 (en) * | 2003-05-21 | 2009-10-22 | Foundry Networks, Inc. | System and method for arp anti-spoofing security |
US20040255154A1 (en) * | 2003-06-11 | 2004-12-16 | Foundry Networks, Inc. | Multiple tiered network security system, method and apparatus |
US8249096B2 (en) | 2003-08-01 | 2012-08-21 | Foundry Networks, Llc | System, method and apparatus for providing multiple access modes in a data communications network |
US20100325700A1 (en) * | 2003-08-01 | 2010-12-23 | Brocade Communications Systems, Inc. | System, method and apparatus for providing multiple access modes in a data communications network |
US8681800B2 (en) | 2003-08-01 | 2014-03-25 | Foundry Networks, Llc | System, method and apparatus for providing multiple access modes in a data communications network |
US20100223654A1 (en) * | 2003-09-04 | 2010-09-02 | Brocade Communications Systems, Inc. | Multiple tiered network security system, method and apparatus using dynamic user policy assignment |
US8239929B2 (en) * | 2003-09-04 | 2012-08-07 | Foundry Networks, Llc | Multiple tiered network security system, method and apparatus using dynamic user policy assignment |
US20100333191A1 (en) * | 2003-09-23 | 2010-12-30 | Foundry Networks, Inc. | System and method for protecting cpu against remote access attacks |
US8893256B2 (en) | 2003-09-23 | 2014-11-18 | Brocade Communications Systems, Inc. | System and method for protecting CPU against remote access attacks |
US8528071B1 (en) | 2003-12-05 | 2013-09-03 | Foundry Networks, Llc | System and method for flexible authentication in a data communications network |
US20090031395A1 (en) * | 2004-09-13 | 2009-01-29 | Xcomm Box, Inc. | Security system for wireless networks |
US20060059538A1 (en) * | 2004-09-13 | 2006-03-16 | Xcomm Box, Inc. | Security system for wireless networks |
US7904952B2 (en) | 2004-10-12 | 2011-03-08 | Bce Inc. | System and method for access control |
US20060080534A1 (en) * | 2004-10-12 | 2006-04-13 | Yeap Tet H | System and method for access control |
US7991151B2 (en) * | 2004-11-04 | 2011-08-02 | France Telecom | Method for secure delegation of calculation of a bilinear application |
US20070260882A1 (en) * | 2004-11-04 | 2007-11-08 | David Lefranc | Method for Secure Delegation of Calculation of a Bilinear Application |
US7996894B1 (en) * | 2005-02-15 | 2011-08-09 | Sonicwall, Inc. | MAC address modification of otherwise locally bridged client devices to provide security |
US20070174906A1 (en) * | 2005-11-15 | 2007-07-26 | Credant Technologies, Inc. | System and Method for the Secure, Transparent and Continuous Synchronization of Access Credentials in an Arbitrary Third Party System |
US20160277420A1 (en) * | 2015-03-16 | 2016-09-22 | International Business Machines Corporation | File and bit location authentication |
US9674203B2 (en) * | 2015-03-16 | 2017-06-06 | International Business Machines Corporation | File and bit location authentication |
CN110831003A (en) * | 2018-08-13 | 2020-02-21 | 广东亿迅科技有限公司 | Authentication method and system based on WLAN flexible access network |
Also Published As
Publication number | Publication date |
---|---|
CN1445963A (en) | 2003-10-01 |
CN1206838C (en) | 2005-06-15 |
EP1345386A3 (en) | 2004-02-04 |
DE60313910T2 (en) | 2008-01-17 |
EP1345386A2 (en) | 2003-09-17 |
JP2003289301A (en) | 2003-10-10 |
JP3863852B2 (en) | 2006-12-27 |
KR100883648B1 (en) | 2009-02-18 |
DE60313910D1 (en) | 2007-07-05 |
EP1345386B1 (en) | 2007-05-23 |
KR20030075224A (en) | 2003-09-26 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US20030177350A1 (en) | Method of controlling network access in wireless environment and recording medium therefor | |
US8726022B2 (en) | Method for the access of the mobile terminal to the WLAN and for the data communication via the wireless link securely | |
EP1422875B1 (en) | Wireless network handoff key | |
JP4615892B2 (en) | Performing authentication within a communication system | |
US9009479B2 (en) | Cryptographic techniques for a communications network | |
JP4160049B2 (en) | Method and system for providing access to services of a second network through a first network | |
US20030084287A1 (en) | System and method for upper layer roaming authentication | |
US20090100262A1 (en) | Apparatus and method for detecting duplication of portable subscriber station in portable internet system | |
CN1444362A (en) | Distribution method of wireless local area network encrypted keys | |
JP2004164576A (en) | Method and system for authenticating user in public wireless lan service system, and recording medium | |
US8788821B2 (en) | Method and apparatus for securing communication between a mobile node and a network | |
JP3792648B2 (en) | Wireless LAN high-speed authentication method and high-speed authentication method | |
US20050144459A1 (en) | Network security system and method | |
JPH11331181A (en) | Network terminal authenticating device | |
JP4677784B2 (en) | Authentication method and system in collective residential network | |
CN1301608C (en) | Method for implementing peer-to-peer WLAN with center certification | |
JP4169534B2 (en) | Mobile communication service system | |
WO2001037477A1 (en) | Cryptographic techniques for a communications network | |
EP3439260B1 (en) | Client device ticket | |
Pastrone | Fast Authentication in Heterogeneous Wireless Networks |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AS | Assignment |
Owner name: SAMSUNG ELECTRONICS CO., LTD., KOREA, REPUBLIC OF Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:LEE, KYUNG-HEE;REEL/FRAME:013855/0019 Effective date: 20030305 |
|
STCB | Information on status: application discontinuation |
Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION |